Implementing Controls

Implementation Flow

Implementing a control in Imara involves four main steps: assign an owner, read the implementation guidance, collect evidence, and validate with tests.

1. Assign an Owner

Each control must have an owner — the team member responsible for implementing and maintaining the security measure. To assign an owner, open the control and use the Owner field. The assigned user will receive a notification and see the control highlighted on their Dashboard.

2. Read the Implementation Guidance

Each control includes a detailed guidance section explaining what needs to be done, why it matters, and examples of how to implement correctly. Read this section before starting implementation to ensure the evidence you collect is appropriate.

3. Collect Evidence

Evidence is proof that a control is working. You can add evidence in three ways:

• Manual Upload — Upload screenshots, reports, exported configurations, or other files that prove the control.
• Integration Collection — Connect integrations (AWS, GitHub, etc.) and Imara will automatically collect evidence from your tools.
• Document Link — Link an internal document (policy or procedure) as evidence for the control.
  
  

4. Run Tests

Tests are checks that validate whether a control is correctly implemented. There are two types:

• Automated Tests — Run continuously by connected integrations. If a security configuration changes, the test fails automatically and you are notified.
• Manual Tests — Require a team member to periodically confirm the control is active (e.g., quarterly access reviews).
  
  

Marking as Implemented

When all evidence is linked and tests are passing, the control status is automatically updated to Implemented. For controls without automated tests, the owner can manually mark the control as implemented after adding the necessary evidence.